Intrusion prevention can be a useful method of blocking attacks against known vulnerabilities. In this video, you’ll learn about IPS failure modes, device connections, and differences between active and passive monitoring.
An intrusion prevention system, or IPS, is designed to watch traffic traverse the network in real time. If there’s anything inside the traffic that could be interpreted as dangerous or an exploit, it can be blocked immediately by the IPS. This might be a known vulnerability, such as an exploit against an operating system or a known vulnerability in an application, or it might be something more generic like a buffer overflow or a SQL injection.
You might also see a reference to an intrusion detection system, or an IDS, which is able to alert you that these vulnerabilities are traversing your network. But an IDS can’t block any of that traffic. That’s why we have intrusion prevention systems so that you can prevent that information from getting into your network if it’s identified.
One of the challenges with security devices that sit in line to monitor traffic going by is that those devices can occasionally fail. They might lose power, there might be a hardware problem, or it might be that there’s a bug in the software and the system crashes. If this device is in line, what happens to your network traffic when that device fails? There are different scenarios depending on the engineering of that device.
If this device has been configured as fail-open, then when there's a crash or it becomes unavailable, the data will continue to flow through that connection. Obviously there will be no security processes occurring, but at least the network will remain up and running. If this is a fail-closed system and the device crashes, not only will the security process no longer operate, but your network connection will be severed and there'll be no communication through that link.
Obviously, most networks would probably prefer to have a fail-open system, but that's not always the case for every security device. So you'll need to check the documentation of what you're using to see whether it's fail-open or fail-closed. This choice between fail-open and fail-closed is important when the device is inline and performing active monitoring.
This is an example of an inline configuration. There is an internet connection, a firewall, and a core switch, and between the firewall and the switch is an IPS that is put inline doing active monitoring. As traffic traverses this link between the core switch and the firewall, the IPS is examining all of the traffic, making a decision on whether the traffic is legitimate or potentially malicious, and then it can block that traffic in the IPS itself.
Because an IPS is designed to block traffic in real time, an active monitoring configuration is often the default config. But there may be reasons that your organization is uncomfortable with an actively monitoring system. There may be a concern that an outage would cause downtime for the rest of the network, or they might be concerned that the IPS would be too aggressive with blocking traffic and would be blocking legitimate traffic instead of malicious traffic.
In that case, the organization may feel more comfortable with a passive monitoring solution. With passive monitoring, devices can communicate to each other normally through a switch, and the switch is taking a copy of that traffic and sending it to the IPS. Since the IPS is not in line with the normal network communication between the devices and the switch, it can’t cause any downtime to the network.
But because it's not inline, it also has limited capabilities for blocking traffic. We often refer to this as an IDS design, even though we're using an IPS, because the IPS is not inline and it's not able to block traffic in real time.
Here's a better view of this active monitoring configuration. We'll put some traffic on the network. This traffic will pass through the firewall. It will pass through the IPS where it will be evaluated. And if this traffic is legitimate and doesn't contain any vulnerabilities, it will pass on through to the core switch.
The advantage of having active monitoring is that if traffic does come through the network and passes into the IPS, the IPS can identify potential attacks and block them immediately. At this point, the traffic is simply removed from the network and it’s never sent through to the core switch.
A passive monitor requires that you have some type of method for receiving a copy of the traffic. This might be built into the switch and called a port mirror or a SPAN, which stands for Switch Port Analyzer. Or you might use a physical network tap to break into a physical connection.
With passive monitoring, any traffic sent into the switch will be duplicated. One copy will be sent on its way to the destination and another copy will be sent to the IPS for evaluation. This happens with all traffic traversing the switch: a duplicate is made, the destination receives a copy of that traffic, and the IPS also receives a copy of that traffic. This is a great way to identify and alert on malicious traffic, but it obviously isn't stopping the traffic from getting to the destination device.
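The failure modes and the inline and passive placements described above can be compared side by side in a small model. This is an added example, not part of the original transcript; the signature, the sample packets, and the names `inspect` and `run` are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed signature: a generic SQL injection tautology, for illustration only.
SIGNATURES = {"sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I)}

@dataclass
class Result:
    delivered: list = field(default_factory=list)  # reached the core switch
    blocked: list = field(default_factory=list)    # dropped by the IPS
    alerts: list = field(default_factory=list)     # (signature, payload) raised
    link_up: bool = True

def inspect(payload):
    """Return the name of the first matching signature, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(payload):
            return name
    return None

def run(packets, placement, ips_healthy=True, fail_mode="open"):
    """placement: 'inline' (active) or 'passive' (SPAN/tap copy)."""
    res = Result()
    if placement == "inline" and not ips_healthy and fail_mode == "closed":
        res.link_up = False          # fail-closed: link severed, nothing passes
        return res
    for p in packets:
        hit = inspect(p) if ips_healthy else None   # a failed IPS inspects nothing
        if hit:
            res.alerts.append((hit, p))
        if hit and placement == "inline":
            res.blocked.append(p)    # only an inline IPS can drop the packet
        else:
            res.delivered.append(p)  # passive copy or fail-open: traffic flows
    return res

# Constructed sample traffic.
TRAFFIC = ["GET /index.html", "GET /item?id=1' OR 1=1--", "POST /login user=alice"]

if __name__ == "__main__":
    for placement, healthy, mode in [("inline", True, "open"), ("inline", False, "open"),
                                     ("inline", False, "closed"), ("passive", True, "open"),
                                     ("passive", False, "open")]:
        r = run(TRAFFIC, placement, healthy, mode)
        print(f"{placement:8} healthy={healthy!s:5} fail-{mode:6} link_up={r.link_up!s:5} "
              f"delivered={len(r.delivered)} blocked={len(r.blocked)} alerts={len(r.alerts)}")
```

The inline fail-open row is the one to watch operationally: the link stays up and every packet is delivered, but nothing is inspected and no alerts are raised.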